The FTC just released a Request for Information (RFI) on the business practices of Cloud Computing Providers. The RFI is a tool to gather information and inform the FTC’s understanding of cloud computing – we're interested in hearing about issues from users of cloud services, academics, civil society groups, industry participants, and more. Our interests are similar to those of other regulatory colleagues in the US, UK, France, Japan, The Netherlands, and South Korea, which have recently conducted a range of inquiries into cloud computing. The public is invited to submit comments on any issue related to cloud computing, with a particular focus on issues related to market power, business practices affecting competition, and potential security risks.
Cloud Computing Overview
Cloud computing is a central part of the economy, with companies projected to spend $576 billion on cloud computing in 2023. The reliance on cloud computing is only set to increase, as industries such as healthcare and finance continue to migrate to the cloud, and as computationally intensive novel technologies such as chatbots powered by large language models proliferate.
Cloud computing is powerful and unique. Technical architecture and physical resources that may have taken months to provision and put together 20 years ago are all assembled in a matter of seconds in the cloud today. When a company runs its own datacenters, it is responsible for everything from purchasing servers and installing them, to making sure those servers have sufficient power and cooling. By contrast, when a company uses an external cloud computing provider, it can simply send a request to a provider to provision virtual infrastructure without needing to know or worry about the underlying physical infrastructure. With the click of a button or simple command, engineers can spin up a wide range of complex resources needed to back entire products or new features.
Below, we discuss three key areas of interest in cloud computing – each of which is reflected in our RFI questions.
Single Points of Failure
Outages from large cloud providers have the potential for widespread impact, due to the fact that many large parts of the economy are reliant on them. This isn’t just a hypothetical – recent outages have taken down large swaths of the internet for hours at a time. This issue is particularly salient in certain industries – as outlined by a recent Treasury Department report that highlighted concerns from financial institutions about the potential “cascading impact across the broader financial sector” from vulnerabilities or incidents at a major cloud provider.
Security in Cloud Computing
Cloud computing provides customers with powerful tools and may come with a range of security risks. For instance, the National Security Agency recently highlighted one such issue – misconfiguration of cloud resources – in a guidance document: “misconfiguration of cloud resources remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.” The FTC is no stranger to security issues in the cloud, having brought numerous enforcement actions – including Drizly, Chegg, Skymed, Ascension, and Uber – related to cloud security. Such security issues also raise the question of how responsibility for securing customers’ personal information should be shared between cloud providers and their users. “We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations, who are often least aware of the threat and least capable of protecting themselves,” highlighted CISA Director, Jen Easterly, in recent remarks.
Market Power and Business Practices Affecting Competition in Cloud Computing
The FTC is also interested in hearing about issues related to market power and business practices affecting competition. For instance, if there are few cloud provider options, it is possible that customers may have to agree to less competitive contract terms. Pricing practices can also be confusing due to the wide array of services offered by cloud computing providers, each with complex pricing structures – making it difficult for companies to compare contract terms and forecast or control their spending on cloud. Lastly, the structure and design of offerings from cloud providers may make it more difficult for customers to switch to another provider for the majority of their cloud usage, or to mix and match offerings from multiple providers.
Take Action and Comment on the RFI
We want to hear from you. Please file a comment at https://www.regulations.gov/docket/FTC-2023-0028. No need to answer everything, just areas you’re interested in. Finally, please do not include any confidential or sensitive information as your comment will be public. The deadline to submit comments is June 21, 2023.
We look forward to hearing from you.
We thank staff across the Office of Technology, the Bureau of Competition, the Bureau of Consumer Protection, and the Office of the General Counsel who collaborated on this effort (in alphabetical order): Krisha Cerilli, Mark Eichorn, Patricia Galvan, Alex Gaynor, Hillary Greene, Ben Hendricks, Elisa Jillson, Nick Jones, Kevin Moriarty, John Newman, and Stephanie T. Nguyen.
9https://home.treasury.gov/news/press-releases/jy1252 - “Many financial institutions have expressed concern that a cyber vulnerability or incident at one CSP may potentially have a cascading impact across the broader financial sector.”
10Mitigating Cloud Vulnerabilities (page 4)